Please list all of your cloud services that are in use by your organisation and provided by a third party.
Section A2: Scope of Assessment · Cyber Essentials Montpellier
What this question is really asking
List all third-party cloud services in use — SaaS (Microsoft 365, Google Workspace, Salesforce), IaaS (AWS, Azure, GCP), and any other cloud platforms. Each cloud service must meet the relevant Cyber Essentials requirements. Missed cloud services are a very common gap — include services used by individuals, not just corporately procured ones.
What satisfies this requirement
A list is requiredInclude all IaaS, PaaS, and SaaS services. Cloud services cannot be excluded from CE scope.
What to prepare before your assessor visit
Cloud services are the most frequently incomplete section. Every SaaS tool matters — not just Microsoft 365 and Salesforce, but project management tools, HR platforms, customer portals, and any service where organisational data is stored or processed. Ask staff what they actually use, not just what IT has formally approved. Shadow IT is very common and assessors know it — a thorough list builds confidence; an incomplete one does the opposite.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.